AP automation handles invoice routing and approval workflow. It does not enforce the compliance logic that Indian statutory auditors check first: GSTR-2B reconciliation accuracy, TDS category classification, and vendor GSTIN integrity. These gaps sit outside most ERP AP modules and surface predictably in audit, even when automation has been live for two or three years.
The auditor's first question in Q4 review is not about invoice volume or approval turnaround times. It is: "Can you show me your GSTR-2B reconciliation for the last two quarters?"
That question targets the exact boundary where ERP AP logic ends and Indian compliance reality begins. The ERP confirms that an invoice was received, matched to a PO, approved, and paid. It does not confirm whether the vendor filed GSTR-1 correctly, whether the payment's GSTIN is still valid, or whether the ITC your team claimed will survive GSTN scrutiny.
For a CFO who deployed AP automation 18 months ago and watched invoice processing accuracy reach 93–95%, this is an uncomfortable moment. The ERP is working. The compliance gap sits outside it.
What does the auditor ask first — and why does it land where the ERP stops?
AP automation answers one question: was this invoice legitimate and properly approved within the organisation? Three-way matching confirms the PO, goods receipt, and invoice align. Workflow automation confirms the right approver signed off. Payment runs execute on schedule. None of these steps verify what the vendor did on their side of the GST portal.
GSTR-2B is a static, auto-generated statement released on the 14th of each month. It reflects only what vendors filed in GSTR-1 before the cut-off. If a vendor uploaded their GSTR-1 late, filed a B2C transaction instead of B2B, or entered an incorrect state GSTIN, the ITC does not appear in your GSTR-2B, regardless of what your ERP recorded.
Per industry benchmark ranges for mid-market manufacturing AP operations in India, 5–15% of supplier invoices carry GSTR-2B mismatches at any given reconciliation cycle. Across these companies, 7–12% of total monthly ITC is at risk of being blocked, delayed, or flagged. [These figures reflect modelled ranges for mid-market manufacturing operations — actual exposure depends on vendor mix and spend concentration.]
Three vendor-side failure patterns drive the majority of these mismatches:
- B2C misclassification: The vendor files a B2B transaction as B2C. No GSTIN is required for B2C, so the invoice never appears in GSTR-2B. The credit is invisible until the vendor files an amendment.
- Cut-off timing: The vendor uploads GSTR-1 after the 11th of the month. The transaction misses the GSTR-2B cycle. ITC is delayed, creating a temporary working capital gap with no ERP-side signal.
- State GSTIN errors: Multi-branch vendors enter the wrong state GSTIN or apply IGST where CGST/SGST was required. The mismatch fails GST portal validation silently.
The AP automation system confirmed the invoice was processed. It had no mechanism to verify the vendor's GST filing status before payment was released.
Under GST Rule 88D, as introduced via Finance Act 2022 and operationalised through subsequent GSTN advisories, if the ITC claimed in your GSTR-3B exceeds your GSTR-2B statement, the portal triggers an automated Form DRC-01C notice. [Interpretive — verify current applicability and notice workflow with your GST consultant before relying on this as a compliance position.] If a business claims an unmatched credit, tax authorities can force an ITC reversal, with an 18% per annum interest penalty on the discrepancy.
Per GSTN advisory guidance, the Invoice Management System (IMS) portal now allows AP teams to accept, reject, or mark vendor invoices as pending before they affect GSTR-2B, giving teams a statutory mechanism to manage reconciliation gaps before the monthly cut-off. Workflow requirements and eligibility criteria apply as per current GSTN advisory; verify your GST portal configuration before implementing.
For a full breakdown of the audit evidence trail in automated AP, see What Auditors Look for First in Automated AP Environments.
Which three findings appear in almost every AP audit after automation goes live?
GSTR-2B mismatches are the most visible finding. Two others surface consistently in post-automation statutory audits.
Finding 2 — TDS category boundary errors
TDS deduction errors do not block a payment. They accumulate. An IT consulting firm engaged for systems support is classified as a contractor in the vendor master. For 18 months, TDS is deducted at the Section 194C rate. The statutory auditor pulls the TDS deduction report and flags it.
Under the Income Tax Act 1961 as amended by Finance Act FY2025-26, the applicable rates for the most common AP boundary cases are as follows [interpretive, verified by Rajesh against Finance Act FY2025-26 and the Income Tax Department portal; apply with professional judgment for your vendor mix]:
| Section | Nature of Payment | Threshold | Rate (Company/Others) |
|---|---|---|---|
| 194C | Payments to contractors / sub-contractors | ₹30,000 single / ₹1,00,000 aggregate | 2% |
| 194J(a) | Fees for technical services, call centre, select royalties | ₹50,000 per FY | 2% |
| 194J(b) | Fees for professional services (legal, audit, engineering, medical) | ₹50,000 per FY | 10% |
| 194H | Commission or brokerage | ₹20,000 per FY | 2% |
The audit risk concentrates at two boundaries. A vendor providing IT systems support falls under technical services at 194J(a) at 2%, not under 194C at 2% as a contractor. The rate is identical, but the classification affects the vendor's TDS certificate and their own tax filing. A vendor providing software consulting or business advisory falls under professional services at 194J(b) at 10%, not technical services at 2%. The difference is 8 percentage points on every invoice, compounding over a financial year.
Section 194H was reduced from 5% to 2% effective FY2025-26. Any AP system carrying the legacy 5% rate for commission payments is deducting incorrectly. Where a vendor lacks a valid PAN, Section 206AA requires deduction at 20%; an ERP applying the standard rate without a PAN check is under-deducting.
The ERP applied the category recorded in the vendor master. No transaction-level classification check ran at invoice time. The category error is a vendor master problem, not an automation failure, but the audit finding lands on the finance team.
For a detailed treatment of TDS in AP automation, see TDS in Accounts Payable: Automating Deduction and Compliance in India.
Finding 3 — Vendor GSTIN drift
A vendor changes GSTIN due to branch restructuring, state registration change, or merger. AP automation continues routing payments to the GSTIN in the vendor master. The ERP invoice matches the master record and the transaction is clean inside the system.
The GST portal shows the payment went to an inactive or incorrect GSTIN. ITC validity on those payments is at risk. The vendor master update was not triggered because the automation had no mechanism to detect external GSTIN changes.
Statutory audits classify vendor master management as a high-risk area. Automation does not reduce this risk; it amplifies it, because the volume of payments routing through an unverified GSTIN is higher and faster.
What should a CFO do before the next audit to close the compliance gap?
The compliance checks that sit outside the ERP's scope by design require deliberate effort, not new software:
1. Run a GSTR-2B reconciliation for the last two completed quarters against ERP payment records. Pull every invoice where ERP confirmed payment but GSTR-2B shows no matching ITC. Quantify the exposure before the auditor does. If the gap is above 5% of invoices from your top 20 vendors by spend, the risk is material.
2. Pull the TDS deduction report by vendor category and spot-check every vendor classified as contractor (194C) who provides IT, legal, consulting, or agency services. The classification boundary between 194C, 194J(a), and 194J(b) is where most AP TDS audit findings originate. The 194H rate reduction to 2% from 5% should also be verified for any commission-based vendor relationships.
3. Cross-check vendor GSTINs against the GST portal for your top 30 vendors by annual spend. GSTIN changes are not notified to buyers. The vendor updates their own registration; your master data does not auto-update. A quarterly GSTIN validation pass closes this gap.
Indian statutory compliance requires verification against external government data: the GST portal, vendor filings, TDS certificates. The ERP was built to manage internal invoice processing. The audit finds the gap between these two layers.
If you want to see how IQInvoice surfaces these gaps before the audit does, request a demo.
Key observations
- GSTR-2B reconciliation, TDS category classification, and vendor GSTIN integrity are the three AP compliance areas most commonly flagged in Indian statutory audits after AP automation go-live
- Per industry benchmark ranges for mid-market manufacturing AP operations, 5–15% of supplier invoices may carry GSTR-2B mismatches; 7–12% of monthly ITC is at risk of being blocked or flagged
- ERP AP modules confirm invoice processing accuracy within the system; they do not confirm vendor-side GST filing status or GSTIN validity at the transaction level
- The TDS category boundary between Section 194J(a) at 2% and 194J(b) at 10% carries 8 percentage points of difference on professional services spend [interpretive, verified against Finance Act FY2025-26]
- Closing the compliance gap requires checks that run against the GST portal (vendor GSTIN validity, GSTR-2B filing status) and vendor TDS certificates, not against ERP records alone